From 2b7b16cbb5b22b0fd864d3de318d4b9a91ca8eab Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 05 2015 13:23:00 +0000
Subject: import scap-security-guide-0.1.19-2.el7
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b17f94
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.19.tar.gz
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..511f55a
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+f7257eb00ab18acda843d41851a430268d6bba30 SOURCES/scap-security-guide-0.1.19.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
new file mode 100644
index 0000000..fac759b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
@@ -0,0 +1,26 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/services/base.xml.orig 2014-09-29 07:29:50.979356661 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/services/base.xml 2014-09-29 07:30:23.749395788 -0400
+@@ -91,23 +91,6 @@ service is not necessary.
+ 
+ 
+ 
+-
+-Disable CPU Speed (cpuspeed)
+-The cpuspeed service can adjust the clock speed of supported CPUs based upon
+-the current processing load thereby conserving power and reducing heat.
+-
+-
+-
+-The cpuspeed service is only necessary if adjusting the CPU clock speed
+-provides benefit. Traditionally this has included laptops (to enhance battery life),
+-but may also apply to server or desktop environments where conserving power is
+-highly desirable or necessary.
+-
+-
+-
+-
+-
+-
+ 
+ Enable IRQ Balance (irqbalance)
+ The irqbalance service optimizes the balance between
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
new file mode 100644
index 0000000..8e4ee57
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
@@ -0,0 +1,38 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml.orig 2014-09-29 06:19:27.427097200 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml 2014-09-29 06:20:14.703998808 -0400
+@@ -117,23 +117,6 @@ targeted for exploitation, such as netwo
+ 
+ 
+ 
+-
+-Enable the SELinux Context Restoration Service (restorecond)
+-The restorecond service utilizes inotify to look
+-for the creation of new files listed in the
+-/etc/selinux/restorecond.conf configuration file. When a file is
+-created, restorecond ensures the file receives the proper SELinux
+-security context.
+-
+-
+-The restorecond service helps ensure that the default SELinux
+-file context is applied to files. This allows automatic correction
+-of file contexts created by some programs.
+-
+-
+-
+-
+-
+ 
+ Uninstall setroubleshoot Package
+ The SETroubleshoot service notifies desktop users of SELinux
+--- scap-security-guide-0.1.19/RHEL/7/input/fixes/bash/service_restorecond_enabled.sh 2014-09-28 07:55:58.000000000 -0400
++++ /dev/null 2014-09-29 05:45:02.862000000 -0400
+@@ -1,9 +0,0 @@
+-#
+-# Enable restorecond.service for all systemd targets
+-#
+-systemctl enable restorecond.service
+-
+-#
+-# Start restorecond.service if not currently running
+-#
+-systemctl start restorecond.service
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
new file mode 100644
index 0000000..b34822c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
@@ -0,0 +1,14 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/guide.xslt.orig 2014-09-29 07:55:24.154151816 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/guide.xslt 2014-09-29 07:56:48.376190494 -0400
+@@ -8,10 +8,7 @@
+ 
+ 
+ 
+-
+-
+-
+-
++
+ 
+ 
+ A conditional clause for check statements.
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch new file mode 100644 index 0000000..7cc9038 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch @@ -0,0 +1,89 @@ +--- scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml.orig 2014-09-29 08:53:24.078751294 -0400 ++++ scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml 2014-09-29 08:59:28.963638607 -0400 +@@ -81,33 +81,28 @@ and gives them an opportunity to notify + + + Set Password Quality Requirements +-The default pam_cracklib PAM module provides strength ++The default pam_pwquality PAM module provides strength + checking for passwords. It performs a number of checks, such as + making sure passwords are not similar to dictionary words, are of + at least a certain length, are not the previous password reversed, + and are not simply a change of case from the previous password. It + can also require passwords to be in certain character classes. +

+-The pam_passwdqc PAM module also provides the ability to enforce +-stringent password strength requirements. It is provided +-in an RPM of the same name. +-

+-The man pages pam_cracklib(8) and pam_passwdqc(8) +-provide information on the capabilities and configuration of +-each.
++The man page pam_pwquality(8) provide further information ++on the capabilities and configuration.
+ + + Set Password Quality Requirements, if using +-pam_cracklib +-The pam_cracklib PAM module can be configured to meet ++ pam_pwquality ++The pam_pwquality PAM module can be configured to meet + requirements for a variety of policies. +

+-For example, to configure pam_cracklib to require at least one uppercase ++For example, to configure pam_pwquality to require at least one uppercase + character, lowercase character, digit, and other (special) + character, locate the following line in /etc/pam.d/system-auth: +-
password requisite pam_cracklib.so try_first_pass retry=3
++
password requisite pam_pwquality.so try_first_pass retry=3
+ and then alter it to read: +-
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
++
password required pam_pwquality.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
+ If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. + The arguments can be modified to ensure compliance with + your organization's security policy. Discussion of each parameter follows. +@@ -268,14 +263,14 @@ is different from account lockout, which + + + Set Password to Maximum of Three Consecutive Repeating Characters +-The pam_cracklib module's maxrepeat parameter controls requirements for ++The pam_pwquality module's maxrepeat parameter controls requirements for + consecutive repeating characters. When set to a positive number, it will reject passwords + which contain more than that number of consecutive characters. Add maxrepeat=3 +-after pam_cracklib.so to prevent a run of four or more identical characters. ++after pam_pwquality.so to prevent a run of four or more identical characters. + + + To check the maximum value for consecutive repeating characters, run the following command: +-
$ grep pam_cracklib /etc/pam.d/system-auth
++
$ grep pam_pwquality /etc/pam.d/system-auth
+ Look for the value of the maxrepeat parameter. The DoD requirement is 3. +
+ +@@ -413,7 +408,7 @@ Note that passwords which are changed on + + + Set Password Strength Minimum Different Categories +-The pam_cracklib module's minclass parameter controls requirements for ++The pam_pwquality module's minclass parameter controls requirements for + usage of different character classes, or types, of character that must exist in a password + before it is considered valid. For example, setting this value to three (3) requires that + any password must have characters from at least three different categories in order to be +@@ -425,7 +420,7 @@ four categories available: + * Digits + * Special characters (for example, punctuation) + +-Add minclass=NUM after pam_cracklib.so entry into the ++Add minclass=NUM after pam_pwquality.so entry into the + /etc/pam.d/system-auth file in order to require differing categories of + characters when changing passwords, substituting NUM appropriately (for example to + require at least three character classes to be used in password, use minclass=3). +@@ -433,7 +428,7 @@ require at least three character classes + + To check how many categories of characters must be used in password during a password change, + run the following command: +-
$ grep pam_cracklib /etc/pam.d/system-auth
++
$ grep pam_pwquality /etc/pam.d/system-auth
+ The minclass parameter will indicate how many character classes must be used. If + the requirement was for the password to contain characters from three different categories, + then this would appear as minclass=3. diff --git a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch new file mode 100644 index 0000000..5395704 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch 
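Review bot: Every verification step in this hunk is `$ grep pam_pwquality /etc/pam.d/system-auth`, but on RHEL 7 pam_pwquality also reads its settings from /etc/security/pwquality.conf, so a system whose minlen, maxrepeat or minclass is set in that file shows a bare module line here and is judged non-compliant while actually enforcing the policy. A sentence after each grep such as `If the parameter is not present on the module line, check /etc/security/pwquality.conf, which pam_pwquality reads for its defaults.` would make the documented check match how the module resolves its options. The rewritten example still turns the line the reader is told to locate, `password requisite pam_pwquality.so try_first_pass retry=3`, into `password required pam_pwquality.so ...`; that is carried over from the cracklib wording, but with `required` a rejected password no longer stops the password stack at that module, so the patch should keep `requisite` or state why the control type is changed. Minor: `The man page pam_pwquality(8) provide further information` should read `provides`.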
@@ -0,0 +1,109 @@ +--- scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8.orig 2014-10-21 09:26:33.048661043 -0400 ++++ scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8 2014-10-21 09:29:18.031611398 -0400 +@@ -1,4 +1,4 @@ +-.TH scap-security-guide 8 "26 Jan 2013" "version 1" ++.TH scap-security-guide 8 "29 Sep 2014" "version 1" + + .SH NAME + SCAP Security Guide - Delivers security guidance, baselines, and +@@ -23,59 +23,24 @@ https://fedorahosted.org/scap-security-g + + + .SH PROFILES +-The SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are: ++The SSG content is broken into 'profiles,' groupings of security settings that ++correlate to a known policy. Available profiles are: + +-.I stig-rhel6-server-upstream ++.I rht-cpp + .RS +-The Security Technical Implementation Guides (STIGs) and the NSA Guides are the +-configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, +-DISA Field Security Operations (FSO) has played a critical role enhancing the +-security posture of DoD's security systems by providing the Security Technical +-Implementation Guides (STIGs). This profile was created as a collaboration +-effort between the National Security Agency, DISA FSO, and Red Hat. +- +-As a result of the upstream/downstream relationship between the SCAP Security +-Guide project and the official DISA FSO STIG baseline, users should expect +-variance between SSG and DISA FSO content. For additional information relating +-to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/ +- +-While this profile is packaged by Red Hat as part of the SCAP Security Guide +-package, please note that commercial support of this SCAP content is NOT +-available. This profile is provided as example SCAP content with no +-endorsement for suitability or production readiness. 
Support for this profile +-is provided by the upstream SCAP Security Guide community on a best-effort +-basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/. +- +-.RE +-.I usgcb-rhel6-server +-.RS +-The purpose of the United States Government Configuration Baseline (USGCB) +-initiative is to create security configuration baselines for Information +-Technology products widely deployed across the federal agencies. The USGCB +-baseline evolved from the Federal Desktop Core Configuration mandate. The +-USGCB is a Federal government-wide initiative that provides guidance to +-agencies on what should be done to improve and maintain an effective +-configuration settings focusing primarily on security. +- +-.B "NOTE: " +-While the current content maps to USGCB requirements, it has NOT +-been validated by NIST as of yet. This content should be considered +-draft, we are highly interested in feedback. +- +-For additional information relating to USGCB, please refer to the NIST +-webpage at http://usgcb.nist.gov/usgcb_content.html. ++Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a ++*draft* SCAP profile for Red Hat Certified Cloud Providers. 
+ .RE + +- + .SH EXAMPLES + To scan your system utilizing the OpenSCAP utility against the +-stig-rhel6-server-upstream profile: ++rht-ccp profile: + +-oscap xccdf eval --profile stig-rhel6-server-upstream \ ++oscap xccdf eval --profile rht-ccp \ + --results /tmp/`hostname`-ssg-results.xml \ + --report /tmp/`hostname`-ssg-results.html \ +---cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ +-/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml ++--cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \ ++/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml + .PP + Additional details can be found on the projects wiki page: + https://fedorahosted.org/scap-security-guide/wiki/usageguide +@@ -99,15 +64,10 @@ ssg-{profile}-oval.xml + ssg-{profile}-xccdf.xml + .RE + +-.I /usr/share/xml/scap/ssg/guides/ +-.RS +-HTML versions of SSG profiles. +-.RE +- +-.I /usr/share/xml/scap/ssg/policytables/ ++.I /usr/share/doc/scap-security-guide-0.1.19 + .RS +-HTML tables reflecting which institutionalized policy a particular SSG rule +-conforms to. ++Contains HTML versions of the SSG profiles and also HTML tables reflecting which ++institutionalized policy a particular SSG rule conforms to. + .RE + + .SH STATEMENT OF SUPPORT +@@ -116,9 +76,9 @@ and the NSA, provides XCCDF and OVAL con + source project, community participation extends into U.S. Department of Defense + agencies, civilian agencies, academia, and other industrial partners. + +-SCAP Security Guide is provided to consumers through Red Hat's Extended +-Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide +-content is considered "vendor provided." ++SCAP Security Guide is provided to consumers through Red Hat's system and content ++management services (Red Hat Network Classic or Red Hat Subscription Management). ++As such, SCAP Security Guide content is considered "vendor provided." 
+ + Note that while Red Hat hosts the infrastructure for this project and + Red Hat engineers are involved as maintainers and leaders, there is no diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch new file mode 100644 index 0000000..65b59a6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch @@ -0,0 +1,472 @@ +diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +index a00fc16..dc1b249 100644 +--- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml ++++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/. + + + +- ++ + + + +diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml +index adf0aaf..b2da2a4 100644 +--- a/RHEL/6/input/system/accounts/pam.xml ++++ b/RHEL/6/input/system/accounts/pam.xml +@@ -48,7 +48,7 @@ operator="equals" interactive="0"> + /etc/security/opasswd in order to force password change history and + keep the user from alternating between the same password too + frequently.
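Review bot: The PROFILES entry names the profile `.I rht-cpp`, but the EXAMPLES section in the same hunk and the patch's own file name use `rht-ccp` (`oscap xccdf eval --profile rht-ccp`); a user who copies the name from PROFILES will most likely get a profile-not-found error from oscap. The line should read `.I rht-ccp`. The rewritten FILES entry also hard-codes the versioned directory `/usr/share/doc/scap-security-guide-0.1.19`, which goes stale at the next rebase of this package; `/usr/share/doc/scap-security-guide-*` (or naming the directory in prose) would not need editing on every version bump.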
+-24 ++5 + 0 + 5 + 10 +@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space. + usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to + contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional + length credit for each special character. +-Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords. ++Add ocredit= after pam_cracklib.so to require use of a special character in passwords. +
+ + To check how many special characters are required in a password, run the following command: +@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space. +
+ + +- ++ + +
+ +@@ -551,7 +551,7 @@ be accomplished by using the remember option for the pam_unix + module. In the file /etc/pam.d/system-auth, append remember= to the + line which refers to the pam_unix.so module, as shown: +
password sufficient pam_unix.so existing_options remember=
+-The DoD and FISMA requirement is 24 passwords.
++The DoD STIG requirement is 5 passwords.
+ + To verify the password reuse setting is compliant, run the following command: +
$ grep remember /etc/pam.d/system-auth
+diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml +index e4af5aa..a8e90c2 100644 +--- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml ++++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml +@@ -159,7 +159,7 @@ increases the risk of users writing down the password in a convenient + location subject to physical compromise. + + +- ++ + +
+ +diff --git a/RHEL/7/input/checks/accounts_password_pam_minlen.xml b/RHEL/7/input/checks/accounts_password_pam_minlen.xml +new file mode 100644 +index 0000000..77f89af +--- /dev/null ++++ b/RHEL/7/input/checks/accounts_password_pam_minlen.xml +@@ -0,0 +1,40 @@ ++ ++ ++ ++ Set Password minlen Requirements ++ ++ Red Hat Enterprise Linux 7 ++ ++ The password minlen should meet minimum requirements ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*minlen=(-?\d+)(?:[\s]|$) ++ 1 ++ ++ ++ ++ ++ 1 ++ ++ ++ ++ ++ ++ +diff --git a/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh +new file mode 100644 +index 0000000..5bc5b0f +--- /dev/null ++++ b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh +@@ -0,0 +1,8 @@ ++source ./templates/support.sh ++populate var_password_pam_minlen ++ ++if grep -q "minlen=" /etc/pam.d/system-auth; then ++ sed -i --follow-symlink "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth ++else ++ sed -i --follow-symlink "/pam_pwquality.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth ++fi +diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml +index ef079b4..19a06b3 100644 +--- a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml ++++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml +@@ -2,6 +2,36 @@ + Pre-release Draft STIG for RHEL 7 Server + This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. 
+ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ ++ ++ ++ ++ + +diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml +index 3cdd433..f5d9cdf 100644 +--- a/RHEL/7/input/system/accounts/pam.xml ++++ b/RHEL/7/input/system/accounts/pam.xml +@@ -48,7 +48,7 @@ operator="equals" interactive="0"> + /etc/security/opasswd in order to force password change history and + keep the user from alternating between the same password too + frequently. +-24 ++5 + 0 + 5 + 10 +@@ -137,13 +137,14 @@ reason. + + minlen + Minimum number of characters in password +-14 ++15 + 6 + + 8 + 10 + 12 + 14 ++ + 15 + + +@@ -190,11 +191,12 @@ password + password + Keep this high for short + passwords +-4 ++15 + 2 + 3 + 4 + 5 ++15 + + + +@@ -306,10 +308,34 @@ search space. + + + +- ++ + + + ++ ++Set Password Minimum Length ++The pam_pwquality module's minlen parameter controls requirements for ++minimum characters required in a password. Add minlen= ++after pam_pwquality to set minimum password length requirements. ++ ++ ++To check how many characters are required in a password, run the following command: ++
$ grep pam_pwquality /etc/pam.d/system-auth
++Your output should contain minlen= ++
++ ++Password length is one factor of several that helps to determine ++strength and how long it takes to crack a password. Use of more characters in ++a password helps to exponentially increase the time and/or resources ++required to compromise the password. ++ ++ ++ ++ ++ ++
++ ++ + + Set Password Strength Minimum Uppercase Characters + The pam_pwquality module's ucredit= parameter controls requirements for +@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space. + + + +- ++ + + + + + Set Password Strength Minimum Special Characters + The pam_pwquality module's ocredit= parameter controls requirements for +-usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to ++usage of special (or "other") characters in a password. When set to a negative number, any password will be required to + contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional + length credit for each special character. +-Add ocredit=-1 after pam_pwquality.so to require use of a special character in passwords. +- ++Add ocredit= after pam_pwquality.so to ++require use of a special character in passwords. + + To check how many special characters are required in a password, run the following command: +
$ grep pam_pwquality /etc/pam.d/system-auth
+@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space. + + + +- ++ + +
+ +@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space. + + + +- ++ + + + +@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space. + usage of different characters during a password change. + Add difok=NUM after pam_pwquality.so to require differing + characters when changing passwords, substituting NUM appropriately. +-The DoD requirement is 4. ++The DoD requirement is 15. + + + To check how many characters must differ during a password change, run the following command: +
$ grep pam_pwquality /etc/pam.d/system-auth
+ The difok parameter will indicate how many characters must differ. +-The DoD requires four characters differ during a password change. +-This would appear as difok=4. ++The DoD requires 15 characters differ during a password change. ++This would appear as difok=15. +
+ + Requiring a minimum number of different characters during password changes ensures that +@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr + + + +- ++ + + + +@@ -476,13 +502,13 @@ attempts using pam_faillock.so: +

+ Add the following lines immediately below the pam_unix.so statement in AUTH section of + both /etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
++
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
++
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
+ + + To ensure the failed password attempt policy is configured correctly, run the following command: +
$ grep pam_faillock /etc/pam.d/system-auth
+-The output should show deny=3. ++The output should show deny=. +
+ + Locking out user accounts after a number of incorrect attempts +@@ -490,7 +516,7 @@ prevents direct password guessing attacks. + + + +- ++ + + + +@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login + attempts and require an administrator to unlock the account using pam_faillock.so: +

+ Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: +-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
++
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
++
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
+ + + To ensure the failed password attempt policy is configured correctly, run the following command: +@@ -527,43 +553,46 @@ attempts. +

+ Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in + /etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
+-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
++
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
++
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
+ + + To ensure the failed password attempt policy is configured correctly, run the following command: +
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
+-For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is 900 (15 minutes) or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. ++For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is ++ or greater. ++If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. +
+ + Locking out user accounts after a number of incorrect attempts within a + specific period of time prevents direct password guessing attacks. + +- ++ + +- ++ +
+ + + Limit Password Reuse + Do not allow users to reuse recent passwords. This can + be accomplished by using the remember option for the pam_unix PAM +-module. In the file /etc/pam.d/system-auth, append remember=24 to the ++module. In the file /etc/pam.d/system-auth, append ++remember= to the + line which refers to the pam_unix.so module, as shown: +-
password sufficient pam_unix.so existing_options remember=24
+-The DoD and FISMA requirement is 24 passwords.
++
password sufficient pam_unix.so existing_options remember=
++The DoD STIG requirement is 5 passwords. + + To verify the password reuse setting is compliant, run the following command: +
$ grep remember /etc/pam.d/system-auth
+ The output should show the following at the end of the line: +-
remember=24
++
remember=
+
+ + Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. + + + +- ++ + +
+ +diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml +index d79c4a8..9e56b9d 100644 +--- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml ++++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml +@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command: + 7 + 7 + 5 +-1 + 2 ++1 + 0 +
+ +@@ -131,7 +131,7 @@ after satisfying the password reuse requirement. + + + +- ++ + + + +@@ -145,7 +145,7 @@ and add or correct the following line, replacing DAYS appropriately: + A value of 180 days is sufficient for many environments. + The DoD requirement is 60. + +- ++ + To check the maximum password age, run the command: +
$ grep PASS_MAX_DAYS /etc/login.defs
+ The DoD and FISMA requirement is 60. +@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease + the utility of a stolen password. Requiring shorter password lifetimes + increases the risk of users writing down the password in a convenient + location subject to physical compromise. +- ++ + +- ++ + + + +diff --git a/shared/.gitignore b/shared/.gitignore +index d7b3ccb..39328cf 100644 +--- a/shared/.gitignore ++++ b/shared/.gitignore +@@ -1,3 +1,4 @@ + # files not to track in git + *.pyc + *.ini ++*.swp +diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt +index 381d3da..41dc47e 100644 +--- a/shared/references/cce-rhel-avail.txt ++++ b/shared/references/cce-rhel-avail.txt +@@ -1,6 +1,3 @@ +-CCE-27051-2 +-CCE-26615-5 +-CCE-26763-3 + CCE-26436-6 + CCE-26989-4 + CCE-26992-8 diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch new file mode 100644 index 0000000..5bc5cc7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch @@ -0,0 +1,142 @@ +diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml +index b2da2a4..29fa69f 100644 +--- a/RHEL/6/input/system/accounts/pam.xml ++++ b/RHEL/6/input/system/accounts/pam.xml +@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value + Set Deny For Failed Password Attempts + + To configure the system to lock out accounts after a number of incorrect login +-attempts using pam_faillock.so: ++attempts using pam_faillock.so, modify the content of both ++/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +
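Review bot: In the new RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh the substitution `s/\(minlen *= *\).*/\1$var_password_pam_minlen/` matches from `minlen=` to end of line, so a line such as `password required pam_pwquality.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4` is truncated right after the new minlen value, silently discarding every credit and difok setting that follows it. Limiting the match to the value and to the module line — `sed -i --follow-symlink "/pam_pwquality\.so/ s/\(minlen *= *\)[0-9]*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth` with the guard `grep -q "pam_pwquality\.so.*minlen=" /etc/pam.d/system-auth` — keeps the rest of the line and stops the remediation from editing unrelated lines that merely contain `minlen=`. Neither the fix nor the new OVAL regex in accounts_password_pam_minlen.xml looks at /etc/pam.d/password-auth, although the faillock text in the same patch requires both files, so a host can pass this check with password-auth untouched. The same patch raises the RHEL 7 minlen default to 15 and states the DoD difok requirement as 15, but the worked example earlier in RHEL/7/input/system/accounts/pam.xml (`minlen=14 ... difok=4`) is not updated and now contradicts the rule text.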

+-Add the following lines immediately below the pam_unix.so statement in AUTH section of +-both /etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=900
+-
auth required pam_faillock.so authsucc deny= unlock_time=604800 fail_interval=900
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command: +@@ -497,11 +502,17 @@ prevents direct password guessing attacks. + Set Lockout Time For Failed Password Attempts + + To configure the system to lock out accounts after a number of incorrect login +-attempts and require an administrator to unlock the account using pam_faillock.so: ++attempts and require an administrator to unlock the account using pam_faillock.so, ++modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +

+-Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: +-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time= fail_interval=900
+-
auth required pam_faillock.so authsucc deny=3 unlock_time= fail_interval=900
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command: +@@ -523,12 +534,16 @@ situations. + Set Interval For Counting Failed Password Attempts + + Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login +-attempts. ++attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +

+-Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in +-/etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=
+-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command: +diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml +index f5d9cdf..e6bcd60 100644 +--- a/RHEL/7/input/system/accounts/pam.xml ++++ b/RHEL/7/input/system/accounts/pam.xml +@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value + Set Deny For Failed Password Attempts + + To configure the system to lock out accounts after a number of incorrect login +-attempts using pam_faillock.so: ++attempts using pam_faillock.so, modify the content of both ++/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +

+-Add the following lines immediately below the pam_unix.so statement in AUTH section of +-both /etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
+-
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command: +@@ -523,11 +528,17 @@ prevents direct password guessing attacks. + Set Lockout Time For Failed Password Attempts + + To configure the system to lock out accounts after a number of incorrect login +-attempts and require an administrator to unlock the account using pam_faillock.so: ++attempts and require an administrator to unlock the account using pam_faillock.so, ++modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +

+-Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: +-
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
+-
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command: +@@ -549,12 +560,16 @@ situations. + Set Interval For Counting Failed Password Attempts + + Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login +-attempts. ++attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: +

+-Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in +-/etc/pam.d/system-auth and /etc/pam.d/password-auth: +-
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
+-
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
++
    ++
  • add the following line immediately before the pam_unix.so statement in the AUTH section: ++

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately after the pam_unix.so statement in the AUTH section: ++

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • ++
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: ++

    account required pam_faillock.so

  • ++
+
+ + To ensure the failed password attempt policy is configured correctly, run the following command:
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
new file mode 100644
index 0000000..2b77b38
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
@@ -0,0 +1,24 @@
+diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
+index e611421..5236ffa 100644
+--- a/RHEL/7/input/profiles/rht-ccp.xml
++++ b/RHEL/7/input/profiles/rht-ccp.xml
+@@ -18,7 +18,7 @@
+ 
+ 
+ 
+- 
++ 
+ 
+ 
+ 
+diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+index 04e0767..98aecef 100644
+--- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh
++++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+@@ -4,5 +4,5 @@ populate var_password_pam_unix_remember
+ if grep -q "remember=" /etc/pam.d/system-auth; then
+ sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
+ else
+- sed -i --follow-symlink "/^password[\s]sufficient[\s]pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
++ sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
+ fi
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
new file mode 100644
index 0000000..03cdfd6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
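Review bot: The corrected sed in accounts_password_pam_unix_remember.sh still touches only /etc/pam.d/system-auth, so /etc/pam.d/password-auth keeps whatever remember= setting it had; the pam_faillock remediation added in this same import already iterates both files through an AUTH_FILES array, and this script should loop the same way instead of hard-coding one path. The `grep -q "remember="` guard also matches remember= on any line (a pam_pwhistory entry or a comment), and in that case the first sed rewrites that occurrence while the pam_unix.so line stays untouched; anchoring the test on the line being managed, `if grep -q "^password.*pam_unix.so.*remember=" /etc/pam.d/system-auth; then`, keeps the two branches consistent. The value of `$var_password_pam_unix_remember` is interpolated unquoted into the sed expression, so the script assumes the populated variable is a plain integer.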
@@ -0,0 +1,20 @@
+diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
+index c3be98b..0f15c1d 100644
+--- a/RHEL/7/Makefile
++++ b/RHEL/7/Makefile
+@@ -44,11 +44,12 @@ checks:
+ 
+ guide: shorthand2xccdf
+ # remove auxiliary Groups which are only for use in tables, and not guide output.
+-# specifying a nonexistent profile, "allrules," to make oscap print all Rules
+ xsltproc -o $(OUT)/unlinked-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel7-xccdf.xml
+ xsltproc -o $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel7-xccdf-guide.xml
+- oscap xccdf generate guide --profile allrules $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-guide.html
+- xsltproc -o $(OUT)/rhel7-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
++# OpenSCAP-1.1.1 expects exact profile name in order to include also rules into guide
++# Create guide for RHT-CCP profile
++ oscap xccdf generate guide --profile rht-ccp $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-ccp-guide.html
++ xsltproc -o $(OUT)/rhel7-ccp-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
+ 
+ # example, if needed: for converting XCCDF into shorthand
+ #xccdf2shorthand:
diff --git a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
new file mode 100644
index 0000000..e88e7a4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
@@ -0,0 +1,51 @@
+diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+index ca11120..b1dbd3a 100644
+--- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
++++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+@@ -1,18 +1,36 @@
+ source ./templates/support.sh
+ populate var_accounts_passwords_pam_faillock_deny
+ 
+-for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"
+-do
++AUTH_FILES[0]="/etc/pam.d/system-auth"
++AUTH_FILES[1]="/etc/pam.d/password-auth"
+ 
+- if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
+- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+- else
+- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+- fi
++for pamFile in "${AUTH_FILES[@]}"
++do
+ 
+- if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then
+- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++ # pam_faillock.so already present?
++ if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
++
++ # pam_faillock.so present, deny directive present?
++ if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
++
++ # both pam_faillock.so & deny present, just correct deny directive value
++ sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++ sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++
++ # pam_faillock.so present, but deny directive not yet
++ else
++
++ # append correct deny value to appropriate places
++ sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++ sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++ fi
++
++ # pam_faillock.so not present yet
+ else
+- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++
++ # insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
++ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
++ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
++ sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
+ fi
+ done
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
new file mode 100644
index 0000000..ce8bb89
--- /dev/null
+++ b/SPECS/scap-security-guide.spec
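Review bot: In the new "pam_faillock.so not present yet" branch the three inserts anchor on `^auth.*sufficient.*pam_unix.so` and `^account.*required.*pam_unix.so`; if either line is missing from $pamFile, sed matches nothing, exits 0, and the remediation reports success without any lockout having been configured. A guard before the inserts, `grep -q "^auth.*sufficient.*pam_unix.so" $pamFile || { echo "$pamFile: no pam_unix.so auth line to anchor pam_faillock.so on" >&2; exit 1; }`, would make that condition visible to whoever runs the fix. The inner check tests only the authfail line for `deny=`, so a file whose preauth line already carries deny= but whose authfail line does not takes the append path and ends up with two deny= options on the preauth line; testing each of the two lines separately before appending avoids this. `[default=die]` in the grep and sed patterns is a bracket expression matching a single character rather than the literal control field — it is inherited from the removed lines, but since the patterns are being rewritten here they should spell it `\[default=die\]`.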
@@ -0,0 +1,214 @@
+%global redhatssgversion 19
+
+Name: scap-security-guide
+Version: 0.1.%{redhatssgversion}
+Release: 2%{?dist}
+Summary: Security guidance and baselines in SCAP formats
+
+Group: System Environment/Base
+License: Public Domain
+URL: https://fedorahosted.org/scap-security-guide/
+
+Source0: http://repos.ssgproject.org/sources/%{name}-%{version}.tar.gz
+Patch1: scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
+Patch2: scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
+Patch3: scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
+Patch4: scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
+Patch5: scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
+Patch6: scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
+Patch7: scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
+Patch8: scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
+Patch9: scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
+Patch10: scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
+BuildArch: noarch
+
+BuildRequires: libxslt, expat, python, openscap-scanner >= 1.1.1, python-lxml
+Requires: xml-common, openscap-scanner >= 1.1.1
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view. The guidance is
+specified in the Security Content Automation Protocol (SCAP) format and
+constitutes a catalog of practical hardening advice, linked to government
+requirements where applicable. The project bridges the gap between generalized
+policy requirements and specific implementation guidelines. The Red Hat
+Enterprise Linux 7 system administrator can use the oscap command-line tool
+from the openscap-utils package to verify that the system conforms to provided
+guideline. Refer to scap-security-guide(8) manual page for further information.
+
+%prep
+%setup -q -n %{name}-%{version}
+# For RHEL-7 include only RHT-CCP profile
+%patch1 -p1 -b .rht-ccp-only
+# Drop restorecond due to https://github.com/OpenSCAP/scap-security-guide/issues/258
+%patch2 -p1 -E -b .drop-restorecond
+# Drop cpuspeed rule since obsoleted in Fedora-16 by cpupower from kernel-tools RPM
+# http://marc.info/?l=fedora-devel-list&m=131107769617369&w=2
+%patch3 -p1 -b .drop-cpuspeed
+# Update manual page to be more appropriate against RHEL-7
+%patch4 -p1 -b .manual-page
+# Update pam.xml to use pam_pwquality instead of pam_cracklib
+%patch5 -p1 -b .replace-pam_cracklib
+# Fix 'Limit Password Reuse' remediation error
+%patch6 -p1 -b .reuse
+# Fix 'Set Deny For Failed Password Attempts' remediation error
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1 -b .set-deny
+# Specify exact profile name when generating RHEL-7 HTML guide
+%patch10 -p1 -b .exact-profile
+
+%build
+(cd RHEL/6 && make dist)
+(cd RHEL/7 && make dist)
+
+%install
+
+mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
+mkdir -p %{buildroot}%{_mandir}/en/man8/
+
+# Add in RHEL-7 core content (SCAP)
+cp -a RHEL/7/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
+
+# Add in RHEL-6 datastream (SCAP)
+cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+
+# Add in manpage
+cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/xml/scap
+%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
+%doc RHEL/6/LICENSE RHEL/6/output/rhel6-guide.html RHEL/7/output/rhel7-ccp-guide.html RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER
+
+%changelog
+* Tue Oct 21 2014 Jan iankko Lieskovsky 0.1.19-2
+- Fix Limit Password Reuse remediation script error
+- Fix Set Deny For Failed Password Attempts remediation script error
+- Use RHT-CCP profile name when generating HTML guide
+- Describe RHT-CCP profile in the manual page
+
+* Mon Sep 29 2014 Jan iankko Lieskovsky 0.1.19-1
+- Include RHEL-7 content (RHT-CCP profile only)
+- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel
+- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools
+- Update manual page to be more appropriate for RHEL-7
+- Drop RHEL-6 C2S profile update patch since merged upstream
+
+* Tue Sep 02 2014 Jan iankko Lieskovsky 0.1.18-4
+- Initial build for Red Hat Enterprise Linux 7
+
+* Thu Aug 28 2014 Jan iankko Lieskovsky 0.1.18-3
+- Update C2S profile per request from CIS
+
+* Thu Jun 26 2014 Jan iankko Lieskovsky 0.1.18-2
+- Include the upstream STIG for RHEL 6 Server profile disclaimer file too
+
+* Sun Jun 22 2014 Jan iankko Lieskovsky 0.1.18-1
+- Make new 0.1.18 release
+
+* Wed May 14 2014 Jan iankko Lieskovsky 0.1.17-2
+- Drop vendor line from the spec file. Let the build system to provide it.
+
+* Fri May 09 2014 Jan iankko Lieskovsky 0.1.17-1
+- Upgrade to upstream 0.1.17 version
+
+* Mon May 05 2014 Jan iankko Lieskovsky 0.1.16-2
+- Initial RPM for RHEL base channels
+
+* Mon May 05 2014 Jan iankko Lieskovsky 0.1.16-1
+- Change naming scheme (0.1-16 => 0.1.16-1)
+
+* Fri Feb 21 2014 Jan iankko Lieskovsky 0.1-16
+- Include datastream file into RHEL6 RPM package too
+- Bump version
+
+* Tue Dec 24 2013 Shawn Wells 0.1-16.rc2
++ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
+
+* Mon Dec 23 2013 Shawn Wells 0.1-16.rc1
+- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
+ system-auth symlink. Added --follow-symlink to sed command.
+
+* Fri Nov 01 2013 Jan iankko Lieskovsky 0.1-15
+- Version bump
+
+* Sat Oct 26 2013 Jan iankko Lieskovsky 0.1-15.rc5
+- Point the spec's source to proper remote tarball location
+- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
+
+* Sat Oct 26 2013 Jan iankko Lieskovsky 0.1-15.rc4
+- Don't include the table html files two times
+- Remove makewhatis
+
+* Fri Oct 25 2013 Shawn Wells 0.1-15.rc3
+- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
+- Numberous XCCDF->OVAL naming schema updates
+- All rules now have CCE
+
+* Fri Oct 25 2013 Shawn Wells 0.1-15.rc2
+- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
+
+* Fri Oct 25 2013 Jan iankko Lieskovsky 0.1-15.rc1
+- Apply spec file changes required by review request (RH BZ#1018905)
+
+* Thu Oct 24 2013 Shawn Wells 0.1-14
+- Formal RPM release
+- Inclusion of rht-ccp profile
+- OVAL unit testing patches
+- Bash remediation patches
+- Bugfixes
+
+* Mon Oct 07 2013 Jan iankko Lieskovsky 0.1-14.rc1
+- Change RPM versioning scheme to include release into tarball
+
+* Sat Sep 28 2013 Shawn Wells 0.1-13
+- Updated RPM spec file to fix rpmlint warnings
+
+* Wed Jun 26 2013 Shawn Wells 0.1-12
+- Updated RPM version to 0.1-12
+
+* Fri Apr 26 2013 Shawn Wells 0.1-11
+- Significant amount of OVAL bugfixes
+- Incorporation of Draft RHEL/6 STIG feedback
+
+* Sat Feb 16 2013 Shawn Wells 0.1-10
+- `man scap-security-guide`
+- OVAL bug fixes
+- NIST 800-53 mappings update
+
+* Wed Nov 28 2012 Shawn Wells 0.1-9
+- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
+- Reverting to noarch RPM
+
+* Tue Nov 27 2012 Shawn Wells 0.1-8
+- Significant copy editing to XCCDF rules per community
+ feedback on the DISA RHEL/6 STIG Initial Draft
+
+* Thu Nov 1 2012 Shawn Wells 0.1-7
+- Corrected XCCDF content errors
+- OpenSCAP now supports CPE dictionaries, important to
+ utilize --cpe-dict when scanning machines with OpenSCAP,
+ e.g.:
+ $ oscap xccdf eval --profile stig-server \
+ --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
+
+* Mon Oct 22 2012 Shawn Wells 0.1-6
+- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
+- Updated RPM includes feedback received from DoD Consensus meetings
+
+* Fri Oct 5 2012 Jeffrey Blank 1.0-5
+- Adjusted installation directory to /usr/share/xml/scap.
+
+* Tue Aug 28 2012 Spencer Shimko 1.0-4
+- Fix BuildRequires and Requires.
+
+* Tue Jul 3 2012 Jeffrey Blank 1.0-3
+- Modified install section, made description more concise.
+
+* Thu Apr 19 2012 Spencer Shimko 1.0-2
+- Minor updates to pass some variables in from build system.
+
+* Mon Apr 02 2012 Shawn Wells 1.0-1
+- First attempt at SSG RPM. May ${deity} help us...
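Review bot: The %description directs the administrator to the oscap tool "from the openscap-utils package", but the spec itself declares `Requires: xml-common, openscap-scanner >= 1.1.1` (and BuildRequires openscap-scanner), so the text names a package this RPM does not pull in; changing that line to `from the openscap-scanner package to verify that the system conforms to provided` keeps the description in step with the dependency. `%patch7 -p1` and `%patch8 -p1` in %prep are the only two patches applied without a `-b` backup suffix; giving them one (e.g. `-b .set-deny-prereq`) keeps the section uniform and leaves the pre-patch copies in the build tree for inspection like the other eight.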